[olug] arp poisioning

Dan Linder dan at linder.org
Tue Jul 6 16:56:20 UTC 2010

On Fri, 2010-07-02 at 19:55 -0500, Aaron Keck wrote:
> What behavior is making you suspicious of arp-poisoning in the first

On Sat, Jul 3, 2010 at 14:13, jesse <jmoseman01 at gmail.com> wrote:
> like once a week we get redirected to weird sites and we live in a
> college town.

Assuming the "weird sites" you're referring to are external to your network
(i.e. www.ibm.com, www.apple.com, www.google.com, etc), then that's probably
not an ARP spoofing attack.

When you say "redirected to weird sites", do you mean that you browse to an
external web site such as "www.somesite.com" but end up going to "
www.someothersite.com", and the URL is changed too?

Or do you you try to connect to an internal server (i.e., but your
session ends up connecting to a different internal server (

You could setup a Linux box to save the results of "arp -anv" and "dig
@INTERNAL_DNS_SERVER www.somesite.com" to a local file, the compare them
with the previous run and see if the ARP or DNS entries changed.

On a fairly static network, the ARP entries should not change, or the
changes might be traceable to a move to a different switch or access point.
The DNS entries for large sites may change depending on a round-robin load
balancing and other external factors.

The next time this happens run "arp -a" (both Windows and Linux) and
"nslookup <site_name_they_tried_to_visit>" and see if these changed from
previous runs.

If this is limited to only a few systems (i.e. only windows workstations, or
only Windows systems period), it's possible the systems got infected with a
DNS or /etc/hosts altering trojan...


***************** ************* *********** ******* ***** *** **
"Quis custodiet ipsos custodes?"
   (Who can watch the watchmen?)
   -- from the Satires of Juvenal
"I do not fear computers, I fear the lack of them."
   -- Isaac Asimov (Author)
** *** ***** ******* *********** ************* *****************

More information about the OLUG mailing list